From d6357f23b9e85676cf0d3c5b8240160a838e1aff Mon Sep 17 00:00:00 2001 From: oznu Date: Wed, 28 Mar 2018 19:18:26 +1100 Subject: [PATCH] 0.12.0 (#10) --- .travis.yml | 3 + Dockerfile | 128 ++++++++-- Dockerfile.raspberry-pi | 128 ++++++++-- README.md | 22 +- root/502.html | 11 - root/cert.sh | 62 ----- root/defaults/combined.conf.template | 35 --- root/defaults/https.conf.template | 28 --- root/defaults/nginx.conf.template | 134 ---------- root/defaults/openssl.cnf | 354 --------------------------- root/defaults/wss.conf.template | 26 -- root/etc/cont-init.d/40-prepare | 27 +- root/etc/cont-init.d/60-config | 64 ----- root/etc/cont-init.d/70-nginx | 68 ----- root/etc/services.d/nginx/run | 18 +- root/etc/services.d/rabbitmq/run | 2 + root/etc/services.d/unms/run | 26 +- root/fill-template.sh | 19 -- root/letsencrypt.sh | 53 ---- root/start.sh | 9 - 20 files changed, 277 insertions(+), 940 deletions(-) delete mode 100644 root/502.html delete mode 100755 root/cert.sh delete mode 100644 root/defaults/combined.conf.template delete mode 100644 root/defaults/https.conf.template delete mode 100644 root/defaults/nginx.conf.template delete mode 100644 root/defaults/openssl.cnf delete mode 100644 root/defaults/wss.conf.template delete mode 100644 root/etc/cont-init.d/60-config delete mode 100644 root/etc/cont-init.d/70-nginx delete mode 100755 root/fill-template.sh delete mode 100755 root/letsencrypt.sh delete mode 100755 root/start.sh diff --git a/.travis.yml b/.travis.yml index 4496a8d..8b44d19 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,5 @@ +language: bash + services: - docker @@ -9,3 +11,4 @@ before_script: script: - ~/docker-arm-ci/run.sh + \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 6c64142..aeb89b3 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,18 +1,10 @@ # Multi-stage build - See https://docs.docker.com/engine/userguide/eng-image/multistage-build -FROM ubnt/unms:0.11.3 as unms +FROM ubnt/unms:0.12.0 as unms +FROM oznu/s6-node:8.10.0-amd64 -FROM oznu/s6-node:8.9.4 - -# Copy UNMS app from offical image since the source code is not published at this time -COPY --from=unms /home/app/unms /app - -WORKDIR /app - -RUN devDeps="vips-dev fftw-dev make python g++" \ - && sed -i 's/edge\/community/edge\/testing/g' /etc/apk/repositories \ - && apk add --no-cache ${devDeps} bash gzip vips openssl postgresql redis rabbitmq-server \ - && rm -rf /app/node_modules \ - && yarn install --ignore-engines \ +# base deps redis, rabbitmq +RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ + && apk add --no-cache vips redis rabbitmq-server \ && apk del ${devDeps} \ && deluser rabbitmq \ && addgroup -S rabbitmq && adduser -S -h /var/lib/rabbitmq -G rabbitmq rabbitmq \ 
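Review bot: `&& apk del ${devDeps}` survives as a context line after the `devDeps="vips-dev fftw-dev make python g++"` assignment was removed from this RUN, so the new command runs `apk del` with an empty package list; drop that line here and keep it only in the later RUN that still defines `devDeps`. The `echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories` line is never reverted, so every later `apk add` in the image can silently resolve packages from the testing branch, while the postgres RUN in the next hunk shows the cleaner pattern of removing its extra repository with `sed -i` once the install is done. `vips redis rabbitmq-server` are also unpinned, so rebuilds are not reproducible; pin them as `pkg=<version>` the way the postgres packages are. The first hunk of Dockerfile.raspberry-pi has the same three issues.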
@@ -21,23 +13,109 @@ RUN devDeps="vips-dev fftw-dev make python g++" \ && chmod -R 777 /var/lib/rabbitmq /etc/rabbitmq \ && ln -sf /var/lib/rabbitmq/.erlang.cookie /root/ -RUN devDeps="musl-dev gcc python python-dev py-pip libffi-dev openssl-dev" \ - && apk add --no-cache sudo dumb-init certbot openssl nginx nginx-mod-http-lua ${devDeps} \ - && pip install -U certbot-nginx \ - && apk del ${devDeps} \ - && echo "abc ALL=(ALL) NOPASSWD: /usr/sbin/nginx -s *" >> /etc/sudoers +# postgres 9.6.8 +RUN echo "http://dl-cdn.alpinelinux.org/alpine/v3.6/main" >> /etc/apk/repositories \ + && apk add --no-cache postgresql==9.6.8-r0 postgresql-client=9.6.8-r0 libpq=9.6.8-r0 \ + && sed -i '/v3.6/d' /etc/apk/repositories + +# start ubnt/unms dockerfile # +RUN mkdir -p /home/app/unms + +WORKDIR /home/app/unms + +# Copy UNMS app from offical image since the source code is not published at this time +COPY --from=unms /home/app/unms /home/app/unms + +RUN devDeps="vips-dev fftw-dev make python g++" \ + && apk add --no-cache ${devDeps} su-exec gzip bash vim dumb-init openssl vips libcap \ + && rm -rf node_modules \ + && JOBS=$(nproc) npm install \ + && apk del ${devDeps} \ + && mkdir -p -m 777 "$HOME/unms/public/site-images" \ + && mkdir -p -m 777 "$HOME/unms/data/config-backups" \ + && mkdir -p -m 777 "$HOME/unms/data/unms-backups" \ + && mkdir -p -m 777 "$HOME/unms/data/import" + +RUN setcap cap_net_raw=pe /usr/bin/node + +COPY --from=unms /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +RUN chmod +x /usr/local/bin/docker-entrypoint.sh +# end ubnt/unms dockerfile # + +# ubnt/nginx docker file # +ENV NGINX_UID=1000 \ + NGINX_VERSION=nginx-1.12.2 \ + LUAJIT_VERSION=2.1.0-beta3 + +RUN devDeps="wget openssl-dev pcre-dev zlib-dev build-base libffi-dev python-dev build-base" \ + && apk add --no-cache --update ${devDeps} sudo dumb-init openssl pcre libgcc gettext py-pip \ + && pip install certbot==0.21.0 \ + && mkdir -p /tmp/src && cd /tmp/src \ + && wget -q 
http://nginx.org/download/${NGINX_VERSION}.tar.gz -O nginx.tar.gz \ + && wget -q https://github.com/openresty/lua-nginx-module/archive/v0.10.11.tar.gz -O lua-nginx-module.tar.gz \ + && wget -q https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz -O ndk.tar.gz \ + && wget -q http://luajit.org/download/LuaJIT-${LUAJIT_VERSION}.tar.gz -O luajit.tar.gz \ + && tar -zxvf lua-nginx-module.tar.gz \ + && tar -zxvf ndk.tar.gz \ + && tar -zxvf luajit.tar.gz \ + && tar -zxvf nginx.tar.gz \ + && cd /tmp/src/LuaJIT-${LUAJIT_VERSION} && make amalg PREFIX='/usr' && make install PREFIX='/usr' \ + && export LUAJIT_LIB=/usr/lib/libluajit-5.1.so && export LUAJIT_INC=/usr/include/luajit-2.1 \ + && cd /tmp/src/${NGINX_VERSION} && ./configure \ + --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \ + --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC' \ + --with-pcre-jit \ + --with-threads \ + --add-module=/tmp/src/lua-nginx-module-0.10.11 \ + --add-module=/tmp/src/ngx_devel_kit-0.3.0 \ + --with-http_ssl_module \ + --with-http_realip_module \ + --with-http_gzip_static_module \ + --with-http_secure_link_module \ + --without-mail_pop3_module \ + --without-mail_imap_module \ + --without-http_upstream_ip_hash_module \ + --without-http_memcached_module \ + --without-http_auth_basic_module \ + --without-http_userid_module \ + --without-http_fastcgi_module \ + --without-http_uwsgi_module \ + --without-http_scgi_module \ + --prefix=/var/lib/nginx \ + --sbin-path=/usr/sbin/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --http-log-path=/dev/stdout \ + --error-log-path=/dev/stderr \ + --lock-path=/tmp/nginx.lock \ + --pid-path=/tmp/nginx.pid \ + --http-client-body-temp-path=/tmp/body \ + --http-proxy-temp-path=/tmp/proxy \ + && make -j $(nproc) \ + && make install \ + && apk del ${devDeps} \ + && rm /usr/bin/luajit-${LUAJIT_VERSION} \ + && rm -rf /tmp/src \ + && rm -rf /var/cache/apk/* \ 
+ && echo "unms ALL=(ALL) NOPASSWD: /usr/sbin/nginx -s *" >> /etc/sudoers \ + && echo "unms ALL=(ALL) NOPASSWD:SETENV: /copy-user-certs.sh reload" >> /etc/sudoers + +ADD https://github.com/Ubiquiti-App/UNMS/archive/4a4cc87c476fec59fc8fed90ec1b0bf69dade8fd.tar.gz /tmp/unms.tar.gz + +RUN cd /tmp \ + && tar -xzf unms.tar.gz \ + && cd UNMS-*/src/nginx \ + && cp *.sh *.conf.template openssl.cnf 502.html / \ + && chmod +x /entrypoint.sh /cert.sh /letsencrypt.sh /fill-template.sh /copy-user-certs.sh +# end ubnt/nginx docker file # -ENV NODE_ENV=production \ - PATH=/app/node_modules/.bin:$PATH \ +ENV PATH=/home/app/unms/node_modules/.bin:$PATH \ PGDATA=/config/postgres \ POSTGRES_DB=unms \ - HOME=/var/lib/rabbitmq \ - PROD=true \ - HTTPS_PORT=443 \ + QUIET_MODE=0 \ PUBLIC_HTTPS_PORT=443 \ PUBLIC_WS_PORT=443 \ - UNMS_FLUENTD_PORT=80 \ - QUIET_MODE=0 + SECURE_LINK_SECRET=enigma \ + SSL_CERT="" EXPOSE 80 443 diff --git a/Dockerfile.raspberry-pi b/Dockerfile.raspberry-pi index d3e804b..69bf95f 100644 --- a/Dockerfile.raspberry-pi +++ b/Dockerfile.raspberry-pi 
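Review bot: `SECURE_LINK_SECRET=enigma` bakes a fixed, publicly visible secret into the image as the default key for nginx's secure_link module, so every deployment that does not override it (the README only says it "should" be set) is protected by a known value; default it to `SECURE_LINK_SECRET=""` and have the init script generate a random value or refuse to start when it is empty. The nginx, LuaJIT and lua-module sources are fetched with `wget -q http://...` and the UNMS tree via bare `ADD https://...tar.gz`, none of them integrity-checked; pinning to a commit hash fixes the version but not the content, so record a sha256 for each archive in the Dockerfile and verify with `sha256sum -c` before `tar -zxvf` (and remove `/tmp/unms.tar.gz`, which the ADD layer otherwise keeps in the image). `mkdir -p -m 777 "$HOME/unms/..."` relies on `HOME` being `/home/app` at build time, which nothing in this Dockerfile sets, so these directories presumably land under `/root/unms` instead of the WORKDIR — use the absolute `/home/app/unms/...` paths. `postgresql==9.6.8-r0` uses `==` where the neighbouring pins use `=` (confirm apk accepts it, otherwise `postgresql=9.6.8-r0`), and the new `NOPASSWD:SETENV: /copy-user-certs.sh reload` sudoers entry lets the unms user run that script as root with a caller-chosen environment, so it must stay root-owned, non-writable and must not trust inherited variables. The second hunk of Dockerfile.raspberry-pi carries identical issues.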
@@ -1,18 +1,10 @@ # Multi-stage build - See https://docs.docker.com/engine/userguide/eng-image/multistage-build -FROM ubnt/unms:0.11.3 as unms +FROM ubnt/unms:0.12.0 as unms +FROM oznu/s6-node:8.10.0-armhf -FROM oznu/s6-node:8.9.4-armhf - -# Copy UNMS app from offical image since the source code is not published at this time -COPY --from=unms /home/app/unms /app - -WORKDIR /app - -RUN devDeps="vips-dev fftw-dev make python g++" \ - && sed -i 's/edge\/community/edge\/testing/g' /etc/apk/repositories \ - && apk add --no-cache ${devDeps} bash gzip vips openssl postgresql redis rabbitmq-server \ - && rm -rf /app/node_modules \ - && yarn install --ignore-engines \ +# base deps redis, rabbitmq +RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \ + && apk add --no-cache vips redis rabbitmq-server \ && apk del ${devDeps} \ && deluser rabbitmq \ && addgroup -S rabbitmq && adduser -S -h /var/lib/rabbitmq -G rabbitmq rabbitmq \ 
@@ -21,23 +13,109 @@ RUN devDeps="vips-dev fftw-dev make python g++" \ && chmod -R 777 /var/lib/rabbitmq /etc/rabbitmq \ && ln -sf /var/lib/rabbitmq/.erlang.cookie /root/ -RUN devDeps="musl-dev gcc python python-dev py-pip libffi-dev openssl-dev" \ - && apk add --no-cache sudo dumb-init certbot openssl nginx nginx-mod-http-lua ${devDeps} \ - && pip install -U certbot-nginx \ - && apk del ${devDeps} \ - && echo "abc ALL=(ALL) NOPASSWD: /usr/sbin/nginx -s *" >> /etc/sudoers +# postgres 9.6.8 +RUN echo "http://dl-cdn.alpinelinux.org/alpine/v3.6/main" >> /etc/apk/repositories \ + && apk add --no-cache postgresql==9.6.8-r0 postgresql-client=9.6.8-r0 libpq=9.6.8-r0 \ + && sed -i '/v3.6/d' /etc/apk/repositories + +# start ubnt/unms dockerfile # +RUN mkdir -p /home/app/unms + +WORKDIR /home/app/unms + +# Copy UNMS app from offical image since the source code is not published at this time +COPY --from=unms /home/app/unms /home/app/unms + +RUN devDeps="vips-dev fftw-dev make python g++" \ + && apk add --no-cache ${devDeps} su-exec gzip bash vim dumb-init openssl vips libcap \ + && rm -rf node_modules \ + && JOBS=$(nproc) npm install \ + && apk del ${devDeps} \ + && mkdir -p -m 777 "$HOME/unms/public/site-images" \ + && mkdir -p -m 777 "$HOME/unms/data/config-backups" \ + && mkdir -p -m 777 "$HOME/unms/data/unms-backups" \ + && mkdir -p -m 777 "$HOME/unms/data/import" + +RUN setcap cap_net_raw=pe /usr/bin/node + +COPY --from=unms /usr/local/bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +RUN chmod +x /usr/local/bin/docker-entrypoint.sh +# end ubnt/unms dockerfile # + +# ubnt/nginx docker file # +ENV NGINX_UID=1000 \ + NGINX_VERSION=nginx-1.12.2 \ + LUAJIT_VERSION=2.1.0-beta3 + +RUN devDeps="wget openssl-dev pcre-dev zlib-dev build-base libffi-dev python-dev build-base" \ + && apk add --no-cache --update ${devDeps} sudo dumb-init openssl pcre libgcc gettext py-pip \ + && pip install certbot==0.21.0 \ + && mkdir -p /tmp/src && cd /tmp/src \ + && wget -q 
http://nginx.org/download/${NGINX_VERSION}.tar.gz -O nginx.tar.gz \ + && wget -q https://github.com/openresty/lua-nginx-module/archive/v0.10.11.tar.gz -O lua-nginx-module.tar.gz \ + && wget -q https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.tar.gz -O ndk.tar.gz \ + && wget -q http://luajit.org/download/LuaJIT-${LUAJIT_VERSION}.tar.gz -O luajit.tar.gz \ + && tar -zxvf lua-nginx-module.tar.gz \ + && tar -zxvf ndk.tar.gz \ + && tar -zxvf luajit.tar.gz \ + && tar -zxvf nginx.tar.gz \ + && cd /tmp/src/LuaJIT-${LUAJIT_VERSION} && make amalg PREFIX='/usr' && make install PREFIX='/usr' \ + && export LUAJIT_LIB=/usr/lib/libluajit-5.1.so && export LUAJIT_INC=/usr/include/luajit-2.1 \ + && cd /tmp/src/${NGINX_VERSION} && ./configure \ + --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \ + --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC' \ + --with-pcre-jit \ + --with-threads \ + --add-module=/tmp/src/lua-nginx-module-0.10.11 \ + --add-module=/tmp/src/ngx_devel_kit-0.3.0 \ + --with-http_ssl_module \ + --with-http_realip_module \ + --with-http_gzip_static_module \ + --with-http_secure_link_module \ + --without-mail_pop3_module \ + --without-mail_imap_module \ + --without-http_upstream_ip_hash_module \ + --without-http_memcached_module \ + --without-http_auth_basic_module \ + --without-http_userid_module \ + --without-http_fastcgi_module \ + --without-http_uwsgi_module \ + --without-http_scgi_module \ + --prefix=/var/lib/nginx \ + --sbin-path=/usr/sbin/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --http-log-path=/dev/stdout \ + --error-log-path=/dev/stderr \ + --lock-path=/tmp/nginx.lock \ + --pid-path=/tmp/nginx.pid \ + --http-client-body-temp-path=/tmp/body \ + --http-proxy-temp-path=/tmp/proxy \ + && make -j $(nproc) \ + && make install \ + && apk del ${devDeps} \ + && rm /usr/bin/luajit-${LUAJIT_VERSION} \ + && rm -rf /tmp/src \ + && rm -rf /var/cache/apk/* \ 
+ && echo "unms ALL=(ALL) NOPASSWD: /usr/sbin/nginx -s *" >> /etc/sudoers \ + && echo "unms ALL=(ALL) NOPASSWD:SETENV: /copy-user-certs.sh reload" >> /etc/sudoers + +ADD https://github.com/Ubiquiti-App/UNMS/archive/4a4cc87c476fec59fc8fed90ec1b0bf69dade8fd.tar.gz /tmp/unms.tar.gz + +RUN cd /tmp \ + && tar -xzf unms.tar.gz \ + && cd UNMS-*/src/nginx \ + && cp *.sh *.conf.template openssl.cnf 502.html / \ + && chmod +x /entrypoint.sh /cert.sh /letsencrypt.sh /fill-template.sh /copy-user-certs.sh +# end ubnt/nginx docker file # -ENV NODE_ENV=production \ - PATH=/app/node_modules/.bin:$PATH \ +ENV PATH=/home/app/unms/node_modules/.bin:$PATH \ PGDATA=/config/postgres \ POSTGRES_DB=unms \ - HOME=/var/lib/rabbitmq \ - PROD=true \ - HTTPS_PORT=443 \ + QUIET_MODE=0 \ PUBLIC_HTTPS_PORT=443 \ PUBLIC_WS_PORT=443 \ - UNMS_FLUENTD_PORT=80 \ - QUIET_MODE=0 + SECURE_LINK_SECRET=enigma \ + SSL_CERT="" EXPOSE 80 443 diff --git a/README.md b/README.md index a9ba20b..c6aee12 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Docker Build Status](https://img.shields.io/docker/build/oznu/unms.svg?label=x64%20build&style=for-the-badge)](https://hub.docker.com/r/oznu/unms/) [![Travis](https://img.shields.io/travis/oznu/docker-unms.svg?label=arm%20build&style=for-the-badge)](https://travis-ci.org/oznu/docker-unms) [![GitHub release](https://img.shields.io/github/release/oznu/unms/all.svg?style=for-the-badge)](https://github.com/oznu/docker-unms/releases) +[![Docker Build Status](https://img.shields.io/docker/build/oznu/unms.svg?label=x64%20build)](https://hub.docker.com/r/oznu/unms/) [![Travis](https://img.shields.io/travis/oznu/docker-unms.svg?label=arm%20build)](https://travis-ci.org/oznu/docker-unms) [![GitHub release](https://img.shields.io/github/release/oznu/unms/all.svg)](https://github.com/oznu/docker-unms/releases) # Docker UNMS 
@@ -12,7 +12,6 @@ This image will run on most platforms that support Docker including [Docker for docker run \ -p 80:80 \ -p 443:443 \ - -e PUID= -e PGID= \ -e TZ= \ -v :/config \ oznu/unms:latest @@ -34,25 +33,20 @@ The parameters are split into two halves, separated by a colon, the left hand si * `-p 80:80` - Expose the HTTP web server port on the docker host * `-p 443:443` - Expose the HTTPS and WSS web server port on the docker host * `-e TZ` - for [timezone information](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) e.g. `-e TZ=Europe/London` -* `-e PGID` - for GroupID - see below for explanation -* `-e PUID` - for UserID - see below for explanation *Optional Settings:* * `-e DEMO=false` - Enable UNMS demo mode * `-e PUBLIC_HTTPS_PORT=443` - This should match the HTTPS port your are exposing to on the docker host * `-e PUBLIC_WS_PORT=443` - This should match the HTTPS port your are exposing to on the docker host +* `-e SECURE_LINK_SECRET=` - Random key for secure link module. Set this to something random. -### User / Group Identifiers +## Limitations -Sometimes when using data volumes (`-v` flags) permissions issues can arise between the host OS and the container. We avoid this issue by allowing you to specify the user `PUID` and group `PGID`. Ensure the data volume directory on the host is owned by the same user you specify and it will "just work". +The Docker image, oznu/unms, is not maintained by or affiliated with Ubiquiti Networks. You should not expect any support from Ubiquiti when running UNMS using this image. -In this instance `PUID=1001` and `PGID=1001`. To find yours use `id user` as below: - -``` - $ id - uid=1001(dockeruser) gid=1001(dockergroup) groups=1001(dockergroup) -``` +* In-app upgrades will not work. You can upgrade UNMS by downloading the latest version of this image. +* Device firmware upgrades initiated from UNMS may not work ([#7](https://github.com/oznu/docker-unms/issues/7)). ## Docker Compose 
@@ -60,15 +54,13 @@ In this instance `PUID=1001` and `PGID=1001`. To find yours use `id user` as bel version: '2' services: homebridge: - image: oznu/unms:latest + image: oznu/unms:latest # use "armhf" instead of "latest" for arm devices restart: always ports: - 80:80 - 443:443 environment: - TZ=Australia/Sydney - - PGID=1000 - - PUID=1000 volumes: - ./volumes/unms:/config ``` diff --git a/root/502.html b/root/502.html deleted file mode 100644 index c275b8d..0000000 --- a/root/502.html +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - UNMS is starting - - -

UNMS is starting. This should not take more than a minute.

- - diff --git a/root/cert.sh b/root/cert.sh deleted file mode 100755 index 9dea235..0000000 --- a/root/cert.sh +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/sh - -set -e - -echo "Running cert.sh $*" -domain=$1 - -# if custom certificate is used, make sure that it is up to date -if [ ! -z "${SSL_CERT}" ]; then - CERT_FILE="/config/unms/cert/live.crt" - KEY_FILE="/config/unms/cert/live.key" - if ! [ "${CERT_FILE}" -ot "/config/usercert/${SSL_CERT}" ] \ - && ! [ "${KEY_FILE}" -ot "/config/usercert/${SSL_CERT_KEY}" ] \ - && ([ -z "${SSL_CERT_CA}" ] || ! [ "${CERT_FILE}" -ot "/config/usercert/${SSL_CERT_CA}" ]); - then - echo "Custom SSL certificate not changed, exiting" - exit 0 - fi - - if [ ! -z "${SSL_CERT_CA}" ]; then - echo "Joining '/config/usercert/${SSL_CERT}' and '/config/usercert/${SSL_CERT_CA}' into '${CERT_FILE}'" - cat "/config/usercert/${SSL_CERT}" "/config/usercert/${SSL_CERT_CA}" > /cert/live.crt - else - echo "Copying '/config/usercert/${SSL_CERT}' to '${CERT_FILE}'" - cp -a "/config/usercert/${SSL_CERT}" ${CERT_FILE} - fi - cp -a "/config/usercert/${SSL_CERT_KEY}" ${KEY_FILE} - - echo "Reloading Nginx configuration" - sudo /usr/sbin/nginx -s reload - exit 0 -fi - -# domain name is required -if [ -z "${domain}" ]; then - echo "No domain specified, exiting" - exit 1 -fi - -echo "Looking for an existing self-signed certificate for ${domain}" - -if [ -f "/config/unms/cert/${domain}.crt" ] && [ -f "/config/unms/cert/${domain}.key" ]; then - echo "Found existing self-signed certificate for ${domain}" -else - echo "Generating self-signed certificate for ${domain}" - - # determine subjectAltName - IP addressess need both IP and DNS, domains just need DNS - case "${domain}" in - *:*) SAN="IP:${domain},DNS:${domain}" ;; # contains ":" - IPv6 address - *[0-9]) SAN="IP:${domain},DNS:${domain}" ;; # ends with a digit - IPv4 address - *) SAN="DNS:${domain}" ;; # else domain name - esac - - SAN="${SAN}" openssl req -nodes -x509 -newkey rsa:4096 -subj "/CN=${domain}" -keyout "/config/unms/cert/${domain}.key" -out "/config/unms/cert/${domain}.crt" -days "36500" -batch -config 
"/defaults/openssl.cnf" -fi -ln -fs "./${domain}.crt" "/config/unms/cert/live.crt" -ln -fs "./${domain}.key" "/config/unms/cert/live.key" - -echo "Reloading Nginx configuration" -sudo /usr/sbin/nginx -s reload - -echo "cert.sh ${domain} finished successfully" diff --git a/root/defaults/combined.conf.template b/root/defaults/combined.conf.template deleted file mode 100644 index a92af20..0000000 --- a/root/defaults/combined.conf.template +++ /dev/null @@ -1,35 +0,0 @@ -map $http_upgrade $upstream { - default "websocket"; - '' "webserver"; -} - -server { - listen ##HTTPS_PORT##; - - ssl_certificate /config/unms/cert/live.crt; - ssl_certificate_key /config/unms/cert/live.key; - - ssl on; - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - ssl_prefer_server_ciphers on; - - location / { - proxy_pass http://$upstream; - proxy_redirect off; - proxy_set_header Host $http_host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Referer ""; - client_max_body_size 0; - } - - error_page 502 /502.html; - location = /502.html { - root /; - } -} diff --git a/root/defaults/https.conf.template b/root/defaults/https.conf.template deleted file mode 100644 index b90c8bd..0000000 --- a/root/defaults/https.conf.template +++ /dev/null 
@@ -1,28 +0,0 @@ -server { - listen ##HTTPS_PORT##; - - ssl_certificate /config/unms/cert/live.crt; - ssl_certificate_key /config/unms/cert/live.key; - - ssl on; - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - ssl_prefer_server_ciphers on; - - location / { - proxy_pass http://webserver; - proxy_redirect off; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Referer ""; - client_max_body_size 0; - } - - error_page 502 /502.html; - location = /502.html { - root /; - } -} diff --git a/root/defaults/nginx.conf.template b/root/defaults/nginx.conf.template deleted file mode 100644 index 6bb8781..0000000 --- a/root/defaults/nginx.conf.template +++ /dev/null 
@@ -1,134 +0,0 @@ -# user defines the user that will own and run the Nginx server -user abc nogroup; -# 'user nobody nobody;' for systems with 'nobody' as a group instead - -# Reference: http://docs.gunicorn.org/en/stable/deploy.html -# worker_processes defines the number of worker processes. -# A recommended value for this parameter is the number of cores that are being used by your server. -worker_processes 4; - -pid /tmp/nginx.pid; -error_log /dev/stderr; - -load_module /usr/lib/nginx/modules/ndk_http_module.so; -load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; - -events { - worker_connections 1024; # increase if you have lots of clients - accept_mutex on; # set to 'on' if nginx worker_processes > 1 -} - -http { - include mime.types; - # fallback in case we can't determine a type - default_type application/octet-stream; - access_log /dev/null; - error_log /dev/stderr; - client_body_temp_path /tmp 1 2; - proxy_temp_path /tmp 1 2; - sendfile on; - - set_real_ip_from ##LOCAL_NETWORK##; - real_ip_header X-Forwarded-For; - real_ip_recursive on; - - # limit device connection rate - map $http_upgrade $limit { - default device_connecting; - '' ""; - } - limit_req_zone $limit zone=throttle:1m rate=50r/s; - limit_req zone=throttle burst=500; - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - upstream webserver { - server 127.0.0.1:8081; - } - - upstream websocket { - server 127.0.0.1:8082; - } - - server { - listen 12345; - - location /cert { - content_by_lua_block { - domain = ngx.var.arg_domain; - - -- don't continue if domain is empty or contains characters not allowed in domains or IP addresses - -- allowed characters are [a-z A-Z 0-9 . : -] - if not string.find(domain, "^[%w%.:-]+$") then - print('/cert called with invalid domain "' .. domain .. '"'); - ngx.status = 500 - ngx.say('Invalid domain') - return ngx.exit(500) - end - - print('Calling cert.sh "' .. domain .. '"'); - result=os.execute('/cert.sh "' .. domain .. 
'"') - if result ~= 0 then - ngx.status = 500 - ngx.say('Failed to create self-signed SSL certificate') - return ngx.exit(500) - else - ngx.say('OK') - return ngx.exit(200) - end - } - } - - location /letsencrypt { - content_by_lua_block { - domain = ngx.var.arg_domain; - - -- don't continue if domain is empty or contains characters not allowed in domains or IP addresses - -- allowed characters are [a-z A-Z 0-9 . : -] - if not string.find(domain, "^[%w%.:-]+$") then - print('/letsencrypt called with invalid domain "' .. domain .. '"'); - ngx.status = 400 - ngx.say('Invalid domain') - return ngx.exit(400) - end - - function execute(command) - -- returns success, error code, output. - local f = io.popen(command..' 2>&1 && echo " $?"') - local output = f:read"*a" - local begin, finish, code = output:find" (%d+)\n$" - output, code = output:sub(1, begin, -1), tonumber(code) - return code == 0 and true or false, code, output - end - - print('Calling letsencrypt.sh "' .. domain .. '"'); - success, code, output = execute('/letsencrypt.sh "' .. domain .. '"') - if code ~= 0 then - ngx.status = 500 - ngx.say(output) - return ngx.exit(500) - else - ngx.say('OK') - return ngx.exit(200) - end - } - } - } - - server { - listen 80 default; - - location /.well-known/acme-challenge { - root /www; - } - - location / { - return 301 https://$host:##PUBLIC_HTTPS_PORT##$request_uri; - } - } - - include /etc/nginx/conf.d/*.conf; -} diff --git a/root/defaults/openssl.cnf b/root/defaults/openssl.cnf deleted file mode 100644 index b12b5ce..0000000 --- a/root/defaults/openssl.cnf +++ /dev/null 
@@ -1,354 +0,0 @@ - -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -# Policies used by the TSA examples. -tsa_policy1 = 1.2.3.4.1 -tsa_policy2 = 1.2.3.4.5.6 -tsa_policy3 = 1.2.3.4.5.7 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -#unique_subject = no # Set to 'no' to allow creation of - # several ctificates with same subject. -new_certs_dir = $dir/newcerts # default place for new certs. 
- -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number - # must be commented out to leave a V1 CRL -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem# The private key -RANDFILE = $dir/private/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Comment out the following two lines for the "traditional" -# (and highly broken) format. -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options - -# Extension copying option: use with caution. -copy_extensions = copy - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crlnumber must also be commented out to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. 
-[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = 2048 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString (PKIX recommendation before 2004) -# utf8only: only UTF8Strings (PKIX recommendation after 2004). -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. -string_mask = utf8only - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -#organizationalUnitName_default = - -commonName = Common Name (e.g. 
server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20 - -unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This is required for TSA certificates. 
-# extendedKeyUsage = critical,timeStamping - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -#subjectKeyIdentifier=hash - -#authorityKeyIdentifier=keyid:always,issuer - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -#basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -subjectAltName = ${ENV::SAN} -#keyUsage = digitalSignature, keyEncipherment - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always - -[ proxy_cert_ext ] -# These extensions should be added when creating a proxy certificate - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. 
-# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. -# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy -# An alternative to produce certificates that aren't -# deprecated according to PKIX. -# subjectAltName=email:move - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -# This really needs to be in place for it to be a proxy certificate. -proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo - -#################################################################### -[ tsa ] - -default_tsa = tsa_config1 # the default TSA section - -[ tsa_config1 ] - -# These are used by the TSA reply generation only. 
-dir = ./demoCA # TSA root directory -serial = $dir/tsaserial # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing -signer_cert = $dir/tsacert.pem # The TSA signing certificate - # (optional) -certs = $dir/cacert.pem # Certificate chain to include in reply - # (optional) -signer_key = $dir/private/tsakey.pem # The TSA private key (optional) - -default_policy = tsa_policy1 # Policy if request did not specify it - # (optional) -other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -digests = md5, sha1 # Acceptable message digests (mandatory) -accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -clock_precision_digits = 0 # number of digits after dot. (optional) -ordering = yes # Is ordering defined for timestamps? - # (optional, default: no) -tsa_name = yes # Must the TSA name be included in the reply? - # (optional, default: no) -ess_cert_id_chain = no # Must the ESS cert id chain be included? - # (optional, default: no) diff --git a/root/defaults/wss.conf.template b/root/defaults/wss.conf.template deleted file mode 100644 index ddefe93..0000000 --- a/root/defaults/wss.conf.template +++ /dev/null @@ -1,26 +0,0 @@ -server { - listen ##WS_PORT##; - - ##SSL_CERTIFICATE## - ##SSL_CERTIFICATE_KEY## - ##SSL_CERTIFICATE_CA## - - ssl on; - ssl_session_cache builtin:1000 shared:SSL:10m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; - ssl_prefer_server_ciphers on; - - location / { - proxy_pass http://websocket; - proxy_redirect off; - proxy_set_header Host $http_host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Referer ""; - client_max_body_size 0; - } -} 
diff --git a/root/etc/cont-init.d/40-prepare b/root/etc/cont-init.d/40-prepare index 4a21317..2f3ea85 100644 --- a/root/etc/cont-init.d/40-prepare +++ b/root/etc/cont-init.d/40-prepare @@ -1,15 +1,26 @@ #!/usr/bin/with-contenv sh -# Logs -[ -e /config/logs ] || mkdir -p /config/logs -chown -R nobody:nobody /config/logs - # Redis [ -e /config/redis ] || mkdir -p /config/redis chown -R abc:abc /config/redis # UNMS -[ -e /config/unms ] || mkdir /config/unms -[ -e /app/data ] && rm -rf /app/data -ln -s /config/unms /app/data -chown -R abc:abc /config/unms +[ -e /config/unms ] || mv /home/app/unms/data /config/unms +[ -d /home/app/unms/data ] && rm -rf /home/app/unms/data +ln -s /config/unms /home/app/unms/data + +# Certs +[ -e /config/cert ] || mkdir -p /config/cert +ln -s /config/cert /cert + +# UNMS Logs +[ -e /config/unms/logs ] || mkdir -p /config/unms/logs +chown -R nobody:nobody /config/unms/logs + +# Service Logs +[ -e /config/logs ] || mkdir -p /config/logs +chown -R nobody:nobody /config/logs + +# Fix hosts file +echo "127.0.0.1 unms" >> /etc/hosts + diff --git a/root/etc/cont-init.d/60-config b/root/etc/cont-init.d/60-config deleted file mode 100644 index ce2fb60..0000000 --- a/root/etc/cont-init.d/60-config +++ /dev/null 
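Review bot: `ln -s /config/cert /cert` and the `/etc/hosts` append at the end of the new 40-prepare are unconditional, but a cont-init.d script runs on every container start, not only the first. On the second start `/cert` already exists as a symlink to a directory, so `ln -s` creates `/config/cert/cert` pointing back at its own parent, and `/etc/hosts` grows a duplicate `127.0.0.1 unms` line per restart. Guard both the same way the directory creations above them already are: `[ -L /cert ] || ln -s /config/cert /cert` and `grep -q "127.0.0.1 unms" /etc/hosts || echo "127.0.0.1 unms" >> /etc/hosts`. The `ln -s /config/unms /home/app/unms/data` line is fine because the `rm -rf` before it removes any existing link first.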
@@ -1,64 +0,0 @@ -#!/usr/bin/with-contenv bash - -HOME_DIR="" -UNMS_DIR="${HOME_DIR}/app" -DATA_DIR="${UNMS_DIR}/data" -PUBLIC_DIR="${UNMS_DIR}/public" - -set -e -dirs=( - ${UNMS_DIR}/supportinfo - ${DATA_DIR}/cert - ${DATA_DIR}/images - ${DATA_DIR}/firmwares - ${DATA_DIR}/logs - ${DATA_DIR}/config-backups - ${DATA_DIR}/unms-backups - ${DATA_DIR}/import - ${DATA_DIR}/update -) - -links=( - "${PUBLIC_DIR}/site-images:${DATA_DIR}/images" - "${PUBLIC_DIR}/firmwares:${DATA_DIR}/firmwares" -) - -echo "Creating directories and setting permissions" - -# setpwd.sh is only accessible by root -chown root ${UNMS_DIR}/setpwd.sh -chmod 700 ${UNMS_DIR}/setpwd.sh - -# create dir for Letsencrypt challenge -# until we figure out how to move it under home dir (UNMS-1073) -leDir="${UNMS_DIR}/letsencrypt" -mkdir -p "${leDir}" -chown -R abc "${leDir}" -chmod -R u+rwX,g-rwx,o-rwx "${leDir}" - -# create cert dir symlink to data dir if not mounted by install script -if [ ! -d "${UNMS_DIR}/cert" ] && [ ! -L "${UNMS_DIR}/cert" ]; then - echo "Linking ${UNMS_DIR}/cert -> ${DATA_DIR}/cert" - ln -s "${DATA_DIR}/cert" "${UNMS_DIR}/cert" -fi - -# if cert dir was mounted by install script, delete cert under data dir -if [ ! -L "${UNMS_DIR}/cert" ]; then - rm -rf "${DATA_DIR}/cert" -fi - -for dir in "${dirs[@]}"; do - echo "creating ${dir}" - if [ ! -L "${dir}" ]; then mkdir -p "${dir}"; fi - chown -R abc:abc "${dir}" - chmod -R u+rwX,g-rwx,o-rwx "${dir}" -done - -for i in "${links[@]}"; do - IFS=':' read -ra LINK <<< "${i}" - linkFrom=${LINK[0]} - linkTo=${LINK[1]} - if [ -L "${linkFrom}" ] || [ -d "${linkFrom}" ]; then rm -rf "${linkFrom}"; fi - echo "Linking ${linkFrom} -> ${linkTo}" - ln -s "${linkTo}" "${linkFrom}" -done diff --git a/root/etc/cont-init.d/70-nginx b/root/etc/cont-init.d/70-nginx deleted file mode 100644 index 4e06a28..0000000 --- a/root/etc/cont-init.d/70-nginx +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/usr/bin/with-contenv sh - -# create directory for LetsEncrypt acme-challenge -echo "Creating /www directory" -mkdir /www -chown -R abc:abc /www - -# determine local network address -export LOCAL_NETWORK=$(ip route | tail -1 | cut -d' ' -f1) || true - -# create Nginx config files from templates -echo "Creating Nginx config files" -rm -f /etc/nginx/conf.d/* -/fill-template.sh "/defaults/nginx.conf.template" "/etc/nginx/nginx.conf" - -WS_PORT=${WS_PORT:-${HTTPS_PORT}} -if [ "${WS_PORT}" = "${HTTPS_PORT}" ]; then - /fill-template.sh "/defaults/combined.conf.template" "/etc/nginx/conf.d/combined.conf" -else - /fill-template.sh "/defaults/https.conf.template" "/etc/nginx/conf.d/https.conf" - /fill-template.sh "/defaults/wss.conf.template" "/etc/nginx/conf.d/wss.conf" -fi - -# delete the Let's Encrypt accounts directory if this is the first time that we run UNMS with integrated nginx -# this is necessary because the 'accounts/.../regr.json' file previously generated by the npm library -# is incompatible with the certbot tool in unms-nginx -if [ -z "${SSL_CERT}" ] && [ ! -f "/config/unms/cert/live.crt" ] && [ -d "/config/unms/cert/accounts" ]; then - echo "Deleting old LetsEncrypt 'accounts' directory" - rm -rf /config/unms/cert/accounts -fi - -# If a self signed certificate exists from UNMS versins without integrated nginx, reuse it. This is necessary, -# because UNMS UI will report an update failure if the certificate changes after the update. -# This requires determining the Common Name and renaming the certificate files. -if [ -z "${SSL_CERT}" ] && [ -f "/config/unms/cert/self-signed.crt" ] && [ -f "/config/unms/cert/self-signed.key" ]; then - echo "Found old certificate files, extracting Common Name..." - commonName=$(openssl x509 -noout -subject -in /config/unms/cert/self-signed.crt 2>/dev/null | sed -n '/^subject/s/^.*CN=//p' || true) - if [ ! 
-z "${commonName}" ]; then - echo "Renaming old certificate files from 'self-signed' to '${commonName}'" - mv -f "/config/unms/cert/self-signed.crt" "/config/unms/cert/${commonName}.crt" || echo "Failed to rename self-signed.crt to ${commonName}.crt" - mv -f "/config/unms/cert/self-signed.key" "/config/unms/cert/${commonName}.key" || echo "Failed to rename self-signed.key to ${commonName}.key" - else - echo "Failed to extract Common Name from old certificate file, will not reuse" - fi -fi - -# generate self-signed SSL certificate if none is provided or existing -if [ -z "${SSL_CERT}" ]; then - if [ -f /config/unms/cert/live.crt ] && [ -f /config/unms/cert/live.key ]; then - echo "Will use existing SSL certificate" - else - echo "Generating self-signed certificate without domain names" - SAN="DNS:localhost" openssl req -nodes -x509 -newkey "rsa:2048" -subj "/CN=localhost" -keyout "/config/unms/cert/live.key" -out "/config/unms/cert/live.crt" -days "36500" -batch -config "/defaults/openssl.cnf" - chown -R abc /config/unms/cert/* - fi -else - echo "Will use custom SSL certificate" - cp -a "/config/usercert/${SSL_CERT_KEY}" /config/unms/cert/live.key - if [ -z "${SSL_CERT_CA}" ]; then - cp -a "/config/usercert/${SSL_CERT}" /config/unms/cert/live.crt - else - # Unlike previous nodejs implementation, nginx needs certificate and chain - # in one file. - echo "Joining '/config/usercert/${SSL_CERT}' and '/config/usercert/${SSL_CERT_CA}' into '/config/unms/cert/live.crt'" - cat "/config/usercert/${SSL_CERT}" "/config/usercert/${SSL_CERT_CA}" > /cert/live.crt - fi - chown -R abc /config/unms/cert/* -fi diff --git a/root/etc/services.d/nginx/run b/root/etc/services.d/nginx/run index 7b23271..27c0f4e 100644 --- a/root/etc/services.d/nginx/run +++ b/root/etc/services.d/nginx/run 
@@ -1,4 +1,20 @@ #!/usr/bin/with-contenv sh +export HTTP_PORT=80 +export HTTPS_PORT=443 +export WS_PORT=443 +export UNMS_HTTP_PORT=8081 +export UNMS_WS_PORT=8082 +export UNMS_WS_SHELL_PORT=8083 +export UNMS_WS_API_PORT=8084 + echo "Starting nginx..." -s6-setuidgid root nginx -g 'daemon off;' + +# Run entrypoint +cd / +/entrypoint.sh + +# Fix permissions +chown -R unms:unms /cert /config/cert + +s6-setuidgid root nginx -g "daemon off;" diff --git a/root/etc/services.d/rabbitmq/run b/root/etc/services.d/rabbitmq/run index 58ccd6b..0417108 100644 --- a/root/etc/services.d/rabbitmq/run +++ b/root/etc/services.d/rabbitmq/run @@ -1,4 +1,6 @@ #!/usr/bin/with-contenv sh +export HOME=/var/lib/rabbitmq + echo "Starting rabbitmq-server..." exec rabbitmq-server diff --git a/root/etc/services.d/unms/run b/root/etc/services.d/unms/run index a394867..f23de34 100644 --- a/root/etc/services.d/unms/run +++ b/root/etc/services.d/unms/run 
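Review bot: In the new nginx/run the exit status of `/entrypoint.sh` is ignored, so if that setup step fails nginx is still started on whatever it left behind, and the final `s6-setuidgid root nginx -g "daemon off;"` is not `exec`'d, so s6 supervises the wrapper shell rather than nginx and a `s6-svc -d` stop signal reaches the shell, not the server. The rabbitmq/run hunk in this same commit already uses `exec rabbitmq-server`; the nginx script should be consistent with it. Proposed lines: `/entrypoint.sh || exit 1` and `exec s6-setuidgid root nginx -g "daemon off;"`. The `chown -R unms:unms /cert /config/cert` is presumably redundant on the `/cert` symlink since its target is listed explicitly, but that is harmless.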
@@ -1,22 +1,42 @@ #!/usr/bin/with-contenv sh +export HOME=/home/app +export HTTP_PORT=8081 +export WS_PORT=8082 +export WS_SHELL_PORT=8083 +export UNMS_RABBITMQ_HOST=localhost +export UNMS_RABBITMQ_PORT=5672 +export UNMS_REDISDB_HOST=localhost +export UNMS_REDISDB_PORT=6379 +export UNMS_PG_HOST=localhost +export UNMS_PG_PORT=5432 +export UNMS_FLUENTD_HOST=localhost +export UNMS_FLUENTD_PORT=8081 +export UNMS_NGINX_HOST=localhost +export UNMS_NGINX_PORT=12345 +export NODE_ENV=production + +# wait for postgres to come up until pg_isready; do echo "Waiting for postgres to come up..." sleep 1 done -# Create database if it does not exist +# Create postgres database if it does not exist psql -U postgres -lqt | cut -d \| -f 1 | grep -qw $POSTGRES_DB if [ $? -ne 0 ]; then + echo "Creating database..." createdb -U postgres -O postgres $POSTGRES_DB fi if [ "$QUIET_MODE" = "1" ]; then echo "Starting UNMS in quiet mode..." - s6-setuidgid abc /start.sh >> /config/unms/logs/unms.log 2>&1 + cd /home/app/unms + s6-setuidgid root docker-entrypoint.sh npm start >> /config/unms/logs/unms.log 2>&1 printf "\n\nUNMS exited, last 100 lines of log:\n\n" tail -n 100 /config/unms/logs/unms.log else - s6-setuidgid abc /start.sh 2>&1 | tee -a /config/unms/logs/unms.log + cd /home/app/unms + s6-setuidgid root docker-entrypoint.sh npm start 2>&1 | tee -a /config/unms/logs/unms.log fi diff --git a/root/fill-template.sh b/root/fill-template.sh deleted file mode 100755 index 538bf0f..0000000 --- a/root/fill-template.sh +++ /dev/null 
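Review bot: Both branches of the `QUIET_MODE` check now run the application as `s6-setuidgid root docker-entrypoint.sh npm start`, replacing the previous unprivileged `abc` user, so the Node process and everything it spawns now hold full root inside the container; this is a least-privilege regression that the commit message does not explain. If `docker-entrypoint.sh` (not visible here) needs root only for its setup steps, it should drop privileges before handing off to `npm start`; otherwise the service should be started under a dedicated account such as the `unms` user the nginx run script in this commit already chowns the certificate directory to, with a comment stating why root is required if it truly is. The duplicated `cd /home/app/unms` in both branches can be hoisted above the `if` to keep the two invocations from drifting apart. The `grep -qw $POSTGRES_DB` context line is pre-existing but still unquoted; `"$POSTGRES_DB"` would avoid word splitting and an empty-pattern match when the variable is unset.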
@@ -1,19 +0,0 @@ -#!/bin/sh - -in=$1 -out=$2 - -WS_PORT=${WS_PORT:-${HTTPS_PORT}} -PUBLIC_HTTPS_PORT=${PUBLIC_HTTPS_PORT:-${HTTPS_PORT}} - -echo "Running fill-template.sh $*" - -cp -f "${in}" "${out}" - -sed -i -- "s|##LOCAL_NETWORK##|${LOCAL_NETWORK}|g" "${out}" -sed -i -- "s|##HTTP_PORT##|${HTTP_PORT}|g" "${out}" -sed -i -- "s|##HTTPS_PORT##|${HTTPS_PORT}|g" "${out}" -sed -i -- "s|##WS_PORT##|${WS_PORT}|g" "${out}" -sed -i -- "s|##UNMS_HTTP_PORT##|${UNMS_HTTP_PORT}|g" "${out}" -sed -i -- "s|##UNMS_WS_PORT##|${UNMS_WS_PORT}|g" "${out}" -sed -i -- "s|##PUBLIC_HTTPS_PORT##|${PUBLIC_HTTPS_PORT}|g" "${out}" diff --git a/root/letsencrypt.sh b/root/letsencrypt.sh deleted file mode 100755 index 4d6e95c..0000000 --- a/root/letsencrypt.sh +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/sh - -set -e - -echo "Running letsencrypt.sh $*" -domain=$1 - -# don't do anything if user provides a custom certificate -if [ ! -z "${SSL_CERT}" ]; then - echo "Custom certificate is set up, exiting" - exit 0 -fi - -success=false - -# don't try to use Let's Encrypt for -# - anything that ends with a digit (cannot be a valid domain name) -# - anything with zero dots (cannot be a valid domain name) -# - anything that contains : (must be an IPv6 address) -if echo "${domain}" | grep "[0-9]$" &>/dev/null \ - || echo "${domain}" | grep "^[^.]*$" &>/dev/null \ - || echo "${domain}" | grep ":" &>/dev/null -then - echo "Let's Encrypt can only be used for fully qualified domain names." -else - echo "Generating certificate for ${domain} using Let's Encrypt" - if certbot certonly \ - --register-unsafely-without-email \ - --keep-until-expiring \ - --agree-tos \ - --webroot \ - --webroot-path "/www" \ - --logs-dir "/tmp" \ - --config-dir "/config/unms/cert" \ - --work-dir "/tmp" \ - --domain "${domain}" - then - success=true - ln -fs "./live/${domain}/fullchain.pem" "/config/unms/cert/live.crt" - ln -fs "./live/${domain}/privkey.pem" "/config/unms/cert/live.key" - - echo "Reloading Nginx configuration" - sudo /usr/sbin/nginx -s reload - fi -fi - -if [ "${success}" = true ]; then - echo "letsencrypt.sh ${domain} finished successfully" - exit 0 -else - echo "letsencrypt.sh ${domain} finished with an error" - exit 1 -fi diff --git a/root/start.sh b/root/start.sh deleted file mode 100755 index 0fa233f..0000000 --- a/root/start.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -cd /app - -# Database migrations -node node_modules/sequelize-cli/bin/sequelize db:migrate - -echo "Starting unms..." -exec node --optimize_for_size --max_old_space_size=1000 --gc_interval=120 index.js